Hacker group says Apple developer site susceptible to phishing hacks

An "ethical" hacker group says it has given Apple just a few days to patch …

A group that calls itself YGN Ethical Hacker Group has identified potential security holes in Apple's website for Mac and iOS developers. Those security holes could allow malicious hackers to use the Apple Developer Connection in phishing attacks to gain access to users' login and password information.

According to information supplied to Networkworld, the group identified three potential security issues on the site, including arbitrary URL redirects, cross-site scripting, and HTTP response splitting. In particular, the ability to arbitrarily redirect to other URLs could make phishing attacks against developers' login credentials more likely to succeed.

"By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials," the group said. "Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance." In other words, even though the redirect will cause users to end up at a malicious site, the original link would appear to come from developer.apple.com.

Since developers use their Apple ID to access password-protected areas of Apple's developer website, such as forums, beta OS releases, and SDKs, a successful phishing attack could give hackers access to a user's iTunes Connect account, iTunes Store purchases, and more. If the e-mail address is valid, hackers could also try using password cracks to get into a user's e-mail as well.

YGN said that it alerted Apple to the problem in late April, and that the company quickly acknowledged getting the report. "We take the report of a potential security issue very seriously," Apple told YGN. However, it doesn't appear Apple has closed the security holes.

To encourage Apple to act, the group says that it will release its discoveries to the security mailing list Full Disclosure "in a few days."

This is how Anon/Lulz/whoever else should have operated if they truly wanted to show corporations their weaknesses: inform them, give them time to fix it, and if it doesn't get fixed by a certain time, put pressure by threatening to release the attack vector.

Of course, Anon/Lulz could have done that, and the corps never did anything about it, so their results (released user info, etc) were viewed as sufficient punishment for not fixing the hole.

So the real question is are they still white hats if they release the info to the public to force the security change?

Yep. They gave Apple the chance, and they chose not to fix it. If they keep quiet they would just be letting some other hackers come in later. As white hats at this point, it is responsible to release the information of the problem to the public and force apple to change it. This is all standard whitehat procedure, because, let's face it, big companies won't patch a hole unless they are forced to.

Is the bottom line that one has to be careful when receiving an email with a link to a web site, even if the URL is in the developer.apple.com? Maybe that could be made more explicit in the article, so we have a take-away message :-) (not trying to criticize the writing, just a genuine question). Thanks!

It doesn't sound like a very "ethical" cracker group to me if they threaten to release the exploit(s) in a few days. If they follow through with their threat they are no better than the Lulzers and should be dealt with accordingly when caught.

This is how Anon/Lulz/whoever else should have operated if they truly wanted to show corporations their weaknesses: inform them, give them time to fix it, and if it doesn't get fixed by a certain time, put pressure by threatening to release the attack vector.

One can only hope that this kind of cooperation between hackers and online companies will be more common.

But it also means that some would be putting away the "V" masks and setting aside the anarchist/revolution ranting and getting down to serious work to try to make the internet better.

This is how Anon/Lulz/whoever else should have operated if they truly wanted to show corporations their weaknesses: inform them, give them time to fix it, and if it doesn't get fixed by a certain time, put pressure by threatening to release the attack vector.

Of course, Anon/Lulz could have done that, and the corps never did anything about it, so their results (released user info, etc) were viewed as sufficient punishment for not fixing the hole.

Meh, either way I feel the hacking spree is drawing to a close.

Actually, LulzSec was (at least claiming to be) anti-sec. And this is the exact kind of behavior that the anti-sec movement hates.

Anti-sec is about the idea that not everything is suitable for being public domain, and among those things is security exploits. The idea is that there is no greater benefit of public release of exploits such as these. Mainly because it's possible that nobody else would have discovered it.

It doesn't sound like a very "ethical" cracker group to me if they threaten to release the exploit(s) in a few days. If they follow through with their threat they are no better than the Lulzers and should be dealt with accordingly when caught.

Read the article again. They didn't threaten to release it in a few days, they told apple about it several months ago, and are only now talking about releasing it. Apple was given plenty of warning, and so far has failed to act. Companies have shown that when faced with an "in the wild" exploit they can patch holes in relatively short periods of a week or two, sometimes less. Yet a lot of the time when privately contacted about security holes it takes them months, sometimes even years to fix the problem. Unfortunately what this group is doing is necessary in order to get companies to take security exploits seriously.

It doesn't sound like a very "ethical" cracker group to me if they threaten to release the exploit(s) in a few days. If they follow through with their threat they are no better than the Lulzers and should be dealt with accordingly when caught.

Read the article again. They didn't threaten to release it in a few days, they told apple about it several months ago, and are only now talking about releasing it. Apple was given plenty of warning, and so far has failed to act. Companies have shown that when faced with an "in the wild" exploit they can patch holes in relatively short periods of a week or two, sometimes less. Yet a lot of the time when privately contacted about security holes it takes them months, sometimes even years to fix the problem. Unfortunately what this group is doing is necessary in order to get companies to take security exploits seriously.

I don't need to read it again. They have no ethics regardless if they release the info immediately, or threaten a company that they'll release info in a given time frame. Again, when it comes down to it they are no better than a malicious group if they follow through with the threat. What would releasing a company's info prove? Nothing. Just another lame group wanting the spotlight.

They didn't threaten to release it in a few days, they told apple about it several months ago

Late April is several months ago? Let's see May, June... 2 months since late April. That is a rather short period of time for a complex website and let's also factor in the volume of work in flight for WWDC 2011, etc. during that time.

It doesn't sound like a very "ethical" cracker group to me if they threaten to release the exploit(s) in a few days. If they follow through with their threat they are no better than the Lulzers and should be dealt with accordingly when caught.

Read the article again. They didn't threaten to release it in a few days, they told apple about it several months ago, and are only now talking about releasing it. Apple was given plenty of warning, and so far has failed to act. Companies have shown that when faced with an "in the wild" exploit they can patch holes in relatively short periods of a week or two, sometimes less. Yet a lot of the time when privately contacted about security holes it takes them months, sometimes even years to fix the problem. Unfortunately what this group is doing is necessary in order to get companies to take security exploits seriously.

I don't need to read it again. They have no ethics regardless if they release the info immediately, or threaten a company that they'll release info in a given time frame. Again, when it comes down to it they are no better than a malicious group if they follow through with the threat. What would releasing a company's info prove? Nothing. Just another lame group wanting the spotlight.

Wow.

Someone points out that you misread the article and instead of saying, "ah, sorry I missed that" or "thanks for pointing that out" you dig your heels in and take the most ludicrous position imaginable. Oh, well, it's the internet, one would rather be a tool than admit even the least bit of fallibility.

It's not clear to me how long any site should require to fix this kind of problem. It would seem that a reasonable bit of analysis would be required to understand what was creating the bug that allows the exploit and then making a repair, then testing and validating it. Not the work of a few hours and not something to be taken lightly on any large-scale web site. But I don't know this because I've never been involved with anything like the scale of Apple's web presence. It's like any security hole - you have to make sure the fix doesn't make the hole bigger or just move it to another location.

Someone points out that you misread the article and instead of saying, "ah, sorry I missed that" or "thanks for pointing that out" you dig your heels in and take the most ludicrous position imaginable. Oh, well, it's the internet, one would rather be a tool than admit even the least bit of fallibility.

Wow is right. How does what I said sound incorrect? I didn't miss anything.

If this group had ethics they'd report their findings to, in this case, Apple and be done with it. No threats, no reporting to sites like Ars (which only helps spread the security info issues). Just do nothing leave Apple to fix it. If they get cracked by some other group _then_ it is Apple's fault and they can then deal with the fallout.

Also, if you are going to insult me by calling me a tool, do it in person, not behind a keyboard.

Wow is right. How does what I said sound incorrect? I didn't miss anything.

If this group had ethics they'd report their findings to, in this case, Apple and be done with it. No threats, no reporting to sites like Ars (which only helps spread the security info issues). Just do nothing leave Apple to fix it. If they get cracked by some other group _then_ it is Apple's fault and they can then deal with the fallout.

It has to do with accountability. It's expensive for more than just Apple if their services are hacked, not to mention that typically people reuse the same passwords for everything. If it was just a risk to Apple, fine... but it isn't. This forces accountability. If I had an account in this service I would have to deal with whatever the fallout is too.

Quote:

Also, if you are going to insult me by calling me a tool, do it in person, not behind a keyboard.

1. "they have no ethics...," not only is this statement pure hyperbole the group in question clearly is following a very particular ethical code. Step one--inform Apple. Step two - after there's no response from Apple threaten to release vulnerability to public this puts pressure on Apple to fix and/or warns Joe Public that there is a problem and to change passwords and be alert because Apple isn't taking action. Maybe this isn't your ethical code but it's certainly an ethical code.

2. "they are no better than a malicious group..." is a false equivalency. Clearly they are not malicious because they haven't used the exploit to damage Apple or their customers, as a matter of fact there is no evidence that they've used the exploit period or have even done anything illegal. So your statement that they should be "dealt with accordingly" is absurd. An argument can be made that it's better that they publish it rather than keep it a secret as clearly someone else could duplicate their work and use it maliciously and none of us would be warned until the damage was done.

Perhaps "tool" was the wrong word. How does "intentionally dense" sound?

Is the bottom line that one has to be careful when receiving an email with a link to a web site, even if the URL is in the developer.apple.com? Maybe that could be made more explicit in the article, so we have a take-away message :-) (not trying to criticize the writing, just a genuine question). Thanks!

Yes, that was one of the intended take-aways. When I get a suspicious e-mail, I always check the URL to make sure the domain is correct. A lot of phishing e-mails commonly do something like: developer.apple.com-hackerz.net, or something to that effect. A quick glance might lead someone to think it was from apple, but really it's some phishing site. With the arbitrary redirects, the URL might look something like: developer.apple.com/redirect.woa?=%20%20Lotsofescapechars%20. The actual URL you would end up at might be in plain text, or it could be escaped characters that you can't even parse just by looking at it.

A lot of URLs in e-mails from ADC have redirects like that, so it's not an automatic red flag. All Apple really has to do is add some checking to its redirect function on the server to make sure it doesn't redirect outside of developer.apple.com or even *.apple.com.
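The server-side check described in the comment above, sketched as an added example (not Apple's code and not posted by anyone in this thread). The function names, the `allowSubdomains` switch and the sample inputs are hypothetical; the host names are the ones mentioned on this page. It also rejects control characters, which covers the HTTP response splitting issue the article lists.

```javascript
// Added example: validate a user-supplied redirect destination before
// putting it in a Location header. All names here are assumptions.
const BASE = "https://developer.apple.com/";          // site issuing the redirect
const ALLOWED_HOSTS = new Set(["developer.apple.com"]);
const ALLOWED_SUFFIXES = [".apple.com"];              // wider "*.apple.com" policy

function hostAllowed(hostname, allowSubdomains) {
  // Compare lower-cased and without a trailing root dot.
  const h = hostname.toLowerCase().replace(/\.$/, "");
  if (ALLOWED_HOSTS.has(h)) return true;
  // The leading dot in the suffix forces a label boundary, so
  // "developer.apple.com.evil.example" and "evilapple.com" do not match.
  return allowSubdomains && ALLOWED_SUFFIXES.some((s) => h.endsWith(s));
}

// Returns a normalized absolute URL that is safe to redirect to, or null.
// On null the caller should redirect to a fixed default page instead.
function safeRedirectTarget(raw, allowSubdomains = false) {
  if (typeof raw !== "string" || raw.length === 0) return null;
  // CR/LF or other control characters in a header value enable response
  // splitting; refuse them instead of trying to clean them up.
  if (/[\u0000-\u001f\u007f]/.test(raw)) return null;
  let url;
  try {
    // Parse the way a browser would (WHATWG URL), resolving relative paths
    // against our own origin. This also resolves "//host" and "/\host".
    url = new URL(raw, BASE);
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;          // no javascript:, data:, http:
  if (url.username || url.password) return null;       // "trusted.host@other.host" trick
  if (url.port !== "") return null;                    // default port only
  if (!hostAllowed(url.hostname, allowSubdomains)) return null;
  return url.href;
}

// Constructed sample inputs, as they might arrive in a redirect parameter.
const SAMPLES = [
  "/ios/download?x=1",
  "https://developer.apple.com.evil.example/login",
  "//evil.example/",
  "/\\evil.example/",
  "https://developer.apple.com@evil.example/",
  "javascript:alert(1)",
  "/a\r\nSet-Cookie: x=1",
  "https://sub.apple.com/x",
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "=>", safeRedirectTarget(s));
}
```

Allowing `*.apple.com` rather than the single host means any redirect flaw on any subdomain can be chained, so the exact-host policy is the default here.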

Wow is right. How does what I said sound incorrect? I didn't miss anything.

If this group had ethics they'd report their findings to, in this case, Apple and be done with it. No threats, no reporting to sites like Ars (which only helps spread the security info issues). Just do nothing leave Apple to fix it. If they get cracked by some other group _then_ it is Apple's fault and they can then deal with the fallout.

Quote:

It has to do with accountability. It's expensive for more than just Apple if their services are hacked, not to mention that typically people reuse the same passwords for everything. If it was just a risk to Apple, fine... but it isn't. This forces accountability. If I had an account in this service I would have to deal with whatever the fallout is too.

Good point and I agree. The people with accounts, etc registered with Apple would have to deal with the outcome as well. Many could be affected in some way or another. Back to my ethical point of view; let Apple know about the potential exploits and do not threaten to release the info. If the crackers release the info then you are in the position of being affected, only that much sooner, rather than later by another group. I hope my point is now understood.

1. "they have no ethics...," not only is this statement pure hyperbole the group in question clearly is following a very particular ethical code. Step one--inform Apple. Step two - after there's no response from Apple threaten to release vulnerability to public this puts pressure on Apple to fix and/or warns Joe Public that there is a problem and to change passwords and be alert because Apple isn't taking action. Maybe this isn't your ethical code but it's certainly an ethical code.

2. "they are no better than a malicious group..." is a false equivalency. Clearly they are not malicious because they haven't used the exploit to damage Apple or their customers, as a matter of fact there is no evidence that they've used the exploit period or have even done anything illegal. So your statement that they should be "dealt with accordingly" is absurd. An argument can be made that it's better that they publish it rather than keep it a secret as clearly someone else could duplicate their work and use it maliciously and none of us would be warned until the damage was done.

Perhaps "tool" was the wrong word. How does "intentionally dense" sound?

Your position is ludicrous as well. Since I am one who could be affected by this vulnerability I see them as a malicious group at this point. So "Clearly they are not malicious because..." is a false statement. And "Dealt with accordingly" is what I would like to see happen so it is probably not as absurd as you think it is. I think their ethics are questionable as well.

My question is: If Apple knew about this in April, especially seeing how other companies were recently hacked, why hasn't Apple done anything about it?

Are they that arrogant to believe that they are immune to attack?

Are we so arrogant that we know exactly how they set up their budget. We all seem to assume that the guys that have to fix this problem don't get paid. Apple has to be able to get things done and they have fixed resources these days just like the rest of us.

My question is: If Apple knew about this in April, especially seeing how other companies were recently hacked, why hasn't Apple done anything about it?

Are they that arrogant to believe that they are immune to attack?

Are we so arrogant that we know exactly how they set up their budget. We all seem to assume that the guys that have to fix this problem don't get paid. Apple has to be able to get things done and they have fixed resources these days just like the rest of us.

It doesn't sound like a very "ethical" cracker group to me if they threaten to release the exploit(s) in a few days. If they follow through with their threat they are no better than the Lulzers and should be dealt with accordingly when caught.

Read the article again. They didn't threaten to release it in a few days, they told apple about it several months ago, and are only now talking about releasing it. Apple was given plenty of warning, and so far has failed to act. Companies have shown that when faced with an "in the wild" exploit they can patch holes in relatively short periods of a week or two, sometimes less. Yet a lot of the time when privately contacted about security holes it takes them months, sometimes even years to fix the problem. Unfortunately what this group is doing is necessary in order to get companies to take security exploits seriously.

I don't need to read it again. They have no ethics regardless if they release the info immediately, or threaten a company that they'll release info in a given time frame. Again, when it comes down to it they are no better than a malicious group if they follow through with the threat. What would releasing a company's info prove? Nothing. Just another lame group wanting the spotlight.

Wow.

Someone points out that you misread the article and instead of saying, "ah, sorry I missed that" or "thanks for pointing that out" you dig your heels in and take the most ludicrous position imaginable. Oh, well, it's the internet, one would rather be a tool than admit even the least bit of fallibility.

lol owned "ethical" hackers? apple? I can barely muster a meh. I did, however, just have some cookies that were most malicious. mmmmm

Considering their user base assumes their Macs are 100% virus proof I would say YES

YES YES YES YES

Did I say yes? In fact I think it's a pity it's just a website and not Mac OS X in general. Not that I advocate hacking really but Apple does seem to think it's immune to many things. Talking to Mac Book owners I've never been once given any logical reason to buy one. When I point out why my primary computers aren't Macs I end up saying a bunch of things they usually don't even understand. So I think Apple has every right to think it's immune to attack, because everybody loves them and those that do always will.

Apparently.

To be honest I'm surprised there hasn't been a group dedicated to hacking Apple products, such a small market share would be tempting to try and reduce with any product.